I read this SANS paper and was surprised that they say using an open wifi network is illegal. It was from 2003, so have things changed?

As long as someone doesn't bypass any security, or monitor communication, shouldn't it be legal to use resources from an open network? I don't have to get explicit authorization to go to some website that was configured to be open, so why would I have to with a completely open wireless network?

If someone uses an open web proxy without explicit authorization, is that a crime?

If company X accidently makes sensitive documents available publicly on their website, you don't have to get explicit authorization to download them do you?

This whole can't use resources of completely unprotected, publicly available resources seems kind of ridiculous.

I know what you're saying, though. If it's open, shouldn't it be okay? Websites are open, and there aren't any laws about using open websites, but it's a little different. If I put up a website, and it's open to the internet, I probably had to take some steps to deliberately open that to the public. There would usually have to be a firewall rule specifically allowing that type of traffic to that specific webserver. If there is to be a domain, a domain would have to be purchased and DNS entries setup. These are things that specifically open the site to the internet, it doesn't usually happen by accident.

With wireless networks, it's different. The average user without any idea of security essentials would bring their new router home, plug it in, and say "it works!" and never change any settings, not knowing that they've created an open network. They're still not giving you permission to access their network, they just don't know any better. That being said, they probably would never know that someone connected, and wouldn't know that an illegal activity is taking place, but that still doesn't make it right for people to take advantage of it.

It's not just not having a password, it's not having any security at all. If someone boots their laptop and an AP offers its resources, you can go to jail for using its resources? What the heck? If I setup a website and have a webpage I don't want someone to connect to, it's my responsibility to make some effort to limit access. If I don't do anything at all to limit access, and someone accesses it... without bypassing ANY security measure, without malicious intent, without any notification or indication it was intended to be private, using the services it offered, there is no way they should be guilty of a crime.

Aren't people often warned when they connect to an open AP that it is insecure? It's their responsibility to make some effort, even a small one to secure it.

Last edited by Eleven on Thu Dec 08, 2011 10:54 am, edited 1 time in total.

The law doesn't state that there are different rules whether or not you have security measures in place, the law is there to protect people who don't know any better. Not everybody who buys a router is going to have to knowledge to setup security. Does that mean that person is not responsible for their own security measures? Not at all. Everyone is accountable for their own network security, that's why there is a security field to begin with.

Like I said in my previous post, would that person even know that a crime was committed? Probably not. Does that make it okay? Absolutely not.

Let me ask you a question, Eleven. If you were walking along in your neighborhood and you found that one of your neighbors had left their front door unlocked and windows open, would you go on in to the house and start using their water, electricity, cable, etc.?

This is essentially what you'd be doing by using someone else's open wifi. Sure, its not as bad as going in to their house and cleaning out their fine crystal, jewelry, and electronics, but stealing is stealing.

Most networks for free use make advertisements that this service is available. Typically a physical sign (a la coffee shop) or an acceptance agreement via the default page of the wireless service's site.

eth3real wrote:The law doesn't state that there are different rules whether or not you have security measures in place, the law is there to protect people who don't know any better. Not everybody who buys a router is going to have to knowledge to setup security. Does that mean that person is not responsible for their own security measures? Not at all. Everyone is accountable for their own network security, that's why there is a security field to begin with.

Like I said in my previous post, would that person even know that a crime was committed? Probably not. Does that make it okay? Absolutely not.

I don't know about that... The same kind of people who are computer illiterate and don't know how to make any effort to secure their AP are most often going to be the same kind of people who themselves are going to be convicted of using someone's open wifi. Heck, I'm a geek and I didn't even know it was a crime.

ziggy_567 wrote:Let me ask you a question, Eleven. If you were walking along in your neighborhood and you found that one of your neighbors had left their front door unlocked and windows open, would you go on in to the house and start using their water, electricity, cable, etc.?

This is essentially what you'd be doing by using someone else's open wifi. Sure, its not as bad as going in to their house and cleaning out their fine crystal, jewelry, and electronics, but stealing is stealing.

Apples and oranges... Open wifi networks are everywhere and an intentionally open wifi network is indistinguishable from an unintentionally open wifi network. Also, an AP offers its resources... if someone has an open door with a sign inviting you in, that shouldn't be a crime for going in.

Hate to tell you this, but not knowing the law doesn't make it legal. You can defend this as much as you want, but I didn't write the laws. You still need to check what it says for your area.

Eleven wrote:if someone has an open door with a sign inviting you in, that shouldn't be a crime for going in.

This is what we're talking about. A sign implies advertising that it is an open service. If I have an unsecured house, it is not open to the public. If I have an unsecured wireless connection, it is not open to the public. If I have a sign stating that either of these are free, then by all means, go for it.

Also, you can't honestly say that you don't know the difference between the wifi offered for free at a coffee shop, and an open wifi network in your neighborhood.

Last edited by eth3real on Thu Dec 08, 2011 11:12 am, edited 1 time in total.

eth3real wrote:Hate to tell you this, but not knowing the law doesn't make it legal. You can defend this as much as you want, but I didn't write the laws. You still need to check what it says for your area.

Yeah, I know, but my point was you said the laws are to protect people who don't know any better, I was just saying it's going to convict those same people who don't know any better.

eth3real wrote:This is what we're talking about. A sign implies advertising that it is an open service. If I have an unsecured house, it is not open to the public. If I have an unsecured wireless connection, it is not open to the public. If I have a sign stating that either of these are free, then by all means, go for it.

Also, you can't honestly say that you don't know the difference between the wifi offered for free at a coffee shop, and an open wifi network in your neighborhood.

I see where you're coming from. But rather than putting the responsibility on everyone else to go hunting for a sign, they should put the responsibility on the few people who own the AP to make an effort to secure it. Because at some point negligence becomes a factor, for example today I heard some places make it a crime to have an open AP. Those jurisdictions seem to have my point of view of putting the responsibility on the owner of the AP.

I agree that anyone setting up an access point is responsible for protecting their network, from a security standpoint. If you don't want your stuff to get stolen, don't leave it out in the open. Obviously a malicious hacker is ignoring the law when attempting to gain access and steal information.

However, my point is this: the law does not make any discrimination between an access point that is protected and an access point that is not protected. In my area, it's very clear: "unauthorized access" is a crime. Being unprotected does not grant authorization.

eth3real wrote:I agree that anyone setting up an access point is responsible for protecting their network, from a security standpoint. If you don't want your stuff to get stolen, don't leave it out in the open. Obviously a malicious hacker is ignoring the law when attempting to gain access and steal information.

However, my point is this: the law does not make any discrimination between an access point that is protected and an access point that is not protected. In my area, it's very clear: "unauthorized access" is a crime. Being unprotected does not grant authorization.

I understand the law, I just don't agree with it. :) Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized. Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

I know the difference is technical and not everyone is going to understand how to configure an AP, but that's why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

Last edited by Eleven on Thu Dec 08, 2011 11:46 am, edited 1 time in total.

As with a house with an open door, an open wifi network is not an invitation to come on in and suck up bandwidth. There must be some other invitation other than the mere existence of the wifi network. Whether it be a hotel clerk telling you to connect to hhonors, a sign on the door of the Starbucks, or a landing page with a Terms of Use, there must be some sort of invitation to use the network.

As with any legal question, if you are unsure of legality its best to not do it until you are sure. As ether3al has pointed out, ignorance of the law is no excuse.

Eleven wrote:I understand the law, I just don't agree with it. :) Personally, I view the combination of absolutely no security on the AP, and the AP offering its services as being authorized. Similar to being authorized to come in my house if I have the door wide open (no security) and invite you in when you walk by (SSID broadcasts).

I know the difference is technical and not everyone is going to understand how to configure an AP, but that's why they should read the manual, or listen to warnings they get when configuring or connecting to their AP.

Now we're starting to get on the same page.

The only difference I have, is that I think the law is not the one that's at fault here. I think the hardware manufacturers, or maybe the 802.11 standard, should require you to protect the access point during setup, and make you jump through hoops if you are absolutely sure you want your AP to be open and unprotected. This would force the lazy or non-security-aware people to at least have some sort of protection, and if they actually went through the trouble of making it open, then they knew what they were doing.